Re: Secure name service for Solaris (was: RPCSEC_GSS and NIS etc)

From: Darren Moffat (Darren.Moffat@eng.sun.com)
Date: 08/29/01


Message-Id: <200108291913.f7TJDe9d229645@jurassic.eng.sun.com>
Date: Wed, 29 Aug 2001 12:13:40 -0700 (PDT)
From: Darren Moffat <Darren.Moffat@eng.sun.com>
Subject: Re: Secure name service for Solaris (was: RPCSEC_GSS and NIS etc)
To: VIvanov@tee.toshiba.de


>> > What about other RPC-based services? NIS, NIS+, rpc.rstatd ?
>> > Or all applications need to be rewritten with new API?
>>
>> NIS no - it doesn't even use AUTH_DH (aka AUTH_DES).
>> NIS+ kind of yes. It does use RPCSEC_GSS but only for dh640-0 and
>> dh1024-0. It can't be used to use Kerberos.
>
>Are there plans for doing this? I think no one is taking care of NIS now,
>but maybe NIS+?

I can't discuss product futures on a public mailing list. You should
contact your Sun sales person and ask them; it will probably require
an NDA/CDA.

>For now there is a possibility for pam_unix to store passwords on
>ldap, but this makes things not better than just NIS. Also there is
>pam_ldap, but as far as I understand this is even worse.

When using pam_unix and listing ldap in nsswitch.conf you are using
LDAP as a NIS like repository.

When using pam_ldap you do an LDAP bind to authenticate rather than
a getpwnam/crypt/strcmp.

How secure this is depends on what directory server you are using,
because you need the same authentication method used by pam_ldap(5)
and the directory server.

The following Sun Blueprints would be of interest to those looking at LDAP:

http://www.sun.com/blueprints/1099/solaris.pdf
http://www.sun.com/blueprints/0200/ldap.pdf
http://www.sun.com/blueprints/0800/iplanet.pdf

>AFAIK there is also NIS+ for HP-UX and (client-only) for Linux,
>does anyone know how compatible these implementations are with the Sun
>implementation of NIS+?

The Linux implementation is a "reverse engineered" approach and doesn't,
to my knowledge, contain any Sun contributed code.

I believe the HP-UX NIS+ is derived from the ONC+ code, which is licensed from
Sun and contains Sun code.

I'm not sure if HP-UX has the dh640-0 dh1024-0 support which requires
RPCSEC_GSS.

--
Darren J Moffat
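The two LDAP setups contrasted in the reply above, as an added illustration that is not part of the original message: the nsswitch.conf and pam.conf fragments below use Solaris 8 syntax, and the module paths, the `$ISA` token and the `try_first_pass` option are assumed from that release rather than taken from the mail.

```text
# /etc/nsswitch.conf -- LDAP used as a NIS-like repository.
# With only pam_unix in pam.conf, the passwd entry (including the crypt(3)
# hash) is fetched through getpwnam() and the candidate password is checked
# locally with crypt()/strcmp(); the directory is just a data store here.
passwd:     files ldap
group:      files ldap

# /etc/pam.conf -- pam_unix only: getpwnam/crypt/strcmp path
# (Solaris 8 module path assumed).
login   auth required   /usr/lib/security/$ISA/pam_unix.so.1

# /etc/pam.conf -- pam_ldap: the password is sent to the directory in an
# LDAP bind instead of being compared locally, so the bind method the
# directory server accepts must be the one pam_ldap is configured to use
# (the Solaris 8 "sufficient pam_unix, then pam_ldap try_first_pass"
# ordering is assumed here).
login   auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
login   auth required   /usr/lib/security/$ISA/pam_ldap.so.1 try_first_pass
```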
